Date: Thu, 24 Apr 2003 04:50:22 -0700 (PDT) From: Maxim Konovalov <maxim@macomnet.ru> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5' matches fragmented icmp packets (fwd) Message-ID: <200304241150.h3OBoMfQ063646@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/51341; it has been noted by GNATS.
From: Maxim Konovalov <maxim@macomnet.ru>
To: bug-followup@freebsd.org
Cc:
Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5'
matches fragmented icmp packets (fwd)
Date: Thu, 24 Apr 2003 15:43:12 +0400 (MSD)
Add to audit trail.
--
Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org
---------- Forwarded message ----------
Date: Thu, 24 Apr 2003 14:35:58 +0300
From: Andrey Lakhno <land@dnepr.net>
To: Maxim Konovalov <maxim@macomnet.ru>
Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5'
matches fragmented icmp packets
Hello,
On Thu, 24 Apr 2003, Maxim Konovalov wrote:
> Could you please test a patch below? Thanks.
It works.
Thank you !
> Index: sys/netinet/ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.39
> diff -u -r1.131.2.39 ip_fw.c
> --- sys/netinet/ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
> +++ sys/netinet/ip_fw.c 24 Apr 2003 11:12:02 -0000
> @@ -1434,7 +1434,7 @@
> struct icmp *icmp;
>
> if (offset != 0) /* Type isn't valid */
> - break;
> + continue;
> icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl);
> if (!icmptype_match(icmp, f))
> continue;
>
> %%%
--
Andrey Lakhno,
land-ripe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200304241150.h3OBoMfQ063646>